Dell is posting unsigned updates to their website which fail to install

154 points by luu 5 months ago

6 comments

panny 5 months ago
> Bad news: Dell is posting unsigned update executables to their website labeled “critical” which then fail to install due to the good news

If I were a hacker with no access to the signing keys, I'd probably label my updates as critical too, so you would try to find a way around the update signing.
klaas- 5 months ago
yesterday they were also serving an update catalog index that did not match its signature https://downloads.dell.com/catalog/CatalogIndex.gz // https://downloads.dell.com/catalog/CatalogIndex.gz -- but that was fixed after I complained

and their idrac based firmware updater downloads http(s)://downloads.dell.com/Catalog/Catalog.xml.gz without checking the signature -- and by default without verifying https certificates when using https :D
SilasX 5 months ago
Wow that’s almost as bad as Firefox five years ago … except this probably doesn’t compromise privacy addons that will get someone killed.

https://hacks.mozilla.org/2019/05/technical-details-on-the-recent-firefox-add-on-outage/
ganzuul 5 months ago
Dell must have calculated that Microsoft will take the blame for this.
bananapub 5 months ago
I mean, someone is, who knows if it is Dell or not. probably Dell doesn't know either, based on their usual software quality.
likeabatterycar 5 months ago
Or the upload to their CDN was truncated or corrupted, and the signature check worked as designed.

But let's not let an opportunity to paint Dell as some evil yet incompetent corporation slip through our fingers.